1. Executive Summary


Killnet is one of many hacktivist groups that have taken a side in the ongoing Russian invasion of
Ukraine. More than 100 groups have conducted cyberattacks since we published our initial
analysis at the beginning of the war. Most of the attacks from these groups are
distributed denial of service (DDoS), but they also include data breaches, data wipers and
psychological operations (i.e., distributing propaganda).


These groups include hacktivists such as Killnet, state-sponsored entities such as Sandworm 
and ransomware gangs such as Conti. There are currently more than 70 active groups, located 
mainly in Russia or Ukraine, but also in Belarus (e.g., Belarusian Cyber Partisans), Turkey 
(e.g., Monarch Turkish Hacktivists), Romania (e.g., Anonymous Romania), Poland (e.g., 
Squad303), Portugal (e.g., Anon666) and Italy (e.g., Anonymous Italia). Their coordination and 
the communication of their actions usually happens via either Twitter or Telegram. 


Killnet stands out as one of the most active groups in this conflict, having been at war with
Anonymous, a group supporting Ukraine, since February 25, 2022. Killnet is located in Russia
and supports its country in the war, alongside other groups such as Xaknet and, often in joint
operations, Legion. Killnet has gained a certain notoriety for DDoSing the websites of Western
critical infrastructure operators, such as airports, banks, energy providers and government
agencies. Killnet also spreads propaganda to more than 70,000 members of its Telegram
channel. Killnet hacktivists were the subject of a recent CISA alert and of other reports shared
by CERTs and ISACs.


Although the group has been very active, appears to have effective communication and a
semi-structured organization, and has managed some level of success in its campaigns, there is no
evidence that Killnet uses or develops custom tools, or even that it reuses very sophisticated
tools in its attacks.


In this report, we leverage a list of IP addresses known to have been used by Killnet during past
attacks to study the group's TTPs when attacking a series of honeypots we control (Section
2.1). This reveals the hacktivists' preference for probing TCP ports 21 (FTP), 80 (HTTP),
443 (HTTPS) and 22 (SSH), for brute-forcing credentials on SSH, and for SSH tunneling. We
analyze the Telegram channels associated with the group (Section 2.2) to confirm Killnet's use
of mostly L4/L7 DDoS (e.g., SYN flood or resource exhaustion via massive amounts of POST/GET
requests) and to show its point of view on the attacks the group has conducted. We discuss the
emergence of several copycat groups on Telegram and analyze one of them, named
Wawsquad (Section 2.3). We also provide a list of IoCs (Section 3) and mitigation recommendations
(Section 4).
2. Technical Analysis


2.1. Data from our honeypot 


Our sensors started to observe attacks from IP addresses associated with Killnet on March 24,
2022; the activity peaked around April 23 and was still ongoing as of May 13, 2022. According to
our analysis of the official Telegram chat of the threat actor (see Section 2.2), most of the major
DDoS attacks happened within that timeline. The attackers' IP addresses consisted mainly of Tor
exit nodes and known malicious clearnet or proxied addresses.


[Figure: number of attacks over time, broken down by source type (anonymizer, known attacker, Tor exit node)]


In total, we observed 381 attacks coming from 58 unique IP addresses. Of these, 56 were
dictionary attacks coming from 10 different IP addresses, using well-known default credentials
in the hope that a victim had not changed them. The attacks consisted primarily of connections to TCP
ports 21 (FTP), 80 (HTTP), 443 (HTTPS) and 22 (SSH), which is in line with the attack
methods we have observed discussed in the Telegram chat.


[Figure: number of attacks per TCP port (21, 22, 80 and 443)]


We have also observed that the brute-force attempts were exclusively against port 22, hinting
that the threat actor aimed at gaining persistence or proxying capabilities, or that it may simply
have been doing reconnaissance or credential harvesting for later use. The top username used in the
dictionary attacks was 'root', followed by far fewer attempts on 'postgres', 'mcserver' (Minecraft
servers), 'ts3' (TeamSpeak servers) and others. The password attempts did not show any
significant pattern except for being generally weak. Below is the distribution of the top usernames
and passwords used in the dictionary attacks.
[Figure: username and password distribution in the dictionary attacks.
Usernames in the legend: anonymous, camden, default, hh, jenny, mcserver, postgres, root, ts3.
Passwords in the legend: 2019, 5150, 12345, 123456, admin, alb, anonymous123, BEATRICE, bruno1, camden, changeme, decembre, eraser, fanny1]


The attacking IP addresses that did not execute dictionary attacks tended to repeat attacks
over a maximum of three days, while the ones that did perform such attacks did not repeat the
attack again, hinting at different goals of the attack scripts associated with each IP. In some
instances, when the attacker was lured into an SSH session, it tried to use our attacker
engagement environment as a proxy toward google.com by attempting to create SSH tunnels.


    Known Killnet IPs using SSH forwarding    Target
    171.25.193.78                             https://google.com
    185.220.102.242                           https://google.com


We found other attacking IPs that were not among those initially attributed to Killnet. These
IPs used the same SSH forwarding technique toward the same target within the same time range
(March 27 to May 15, 2022).


    Attacking IPs using similar techniques    Target
    not in the original Killnet list
    5.2.69.50                                 https://google.com
    92.255.85.237                             https://google.com
    92.255.85.135                             https://google.com


The attacks on the FTP port mainly executed the SYST command, which returns the server's system
type, hinting at reconnaissance only.
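The two behaviours described above (dictionary attacks against SSH and attempts to open SSH tunnels through a host the attacker has logged into) can be checked for on an ordinary server from sshd's syslog output. The following is an added example and not code from the original report. The log lines are constructed: the source addresses are taken from the IoC list in Section 3, while the process IDs, client ports and timestamps are invented. It assumes sshd runs with AllowTcpForwarding no, so that a direct-tcpip request is logged as "refused local port forward: ..." (taken here as the format OpenSSH uses for that case), and it links that line back to the client address through the sshd process ID, because the refusal line itself does not name the client.

```python
"""Triage of sshd syslog lines for two behaviours described in Section 2.1:
dictionary attacks against port 22 and attempts to use the host as an SSH
tunnel (direct-tcpip port forwarding).  Added example, not from the report."""
import re
from collections import defaultdict

# Constructed sample log.  Source IPs come from the report's IoC list; the
# process IDs, client ports and timestamps are invented.  The "refused local
# port forward" line is what OpenSSH logs when AllowTcpForwarding is off and
# a client requests a direct-tcpip channel (assumed format).
SAMPLE_LOG = """\
May 12 03:14:07 hp sshd[2211]: Failed password for root from 171.25.193.78 port 41022 ssh2
May 12 03:14:09 hp sshd[2211]: Failed password for root from 171.25.193.78 port 41022 ssh2
May 12 03:14:12 hp sshd[2214]: Invalid user mcserver from 171.25.193.78 port 41030
May 12 03:14:12 hp sshd[2214]: Failed password for invalid user mcserver from 171.25.193.78 port 41030 ssh2
May 12 03:14:15 hp sshd[2216]: Invalid user ts3 from 171.25.193.78 port 41036
May 12 03:14:15 hp sshd[2216]: Failed password for invalid user ts3 from 171.25.193.78 port 41036 ssh2
May 12 03:14:18 hp sshd[2218]: Failed password for postgres from 171.25.193.78 port 41040 ssh2
May 12 03:20:41 hp sshd[2290]: Accepted password for root from 185.220.102.242 port 50112 ssh2
May 12 03:20:44 hp sshd[2290]: refused local port forward: originator 127.0.0.1 port 33850, target google.com port 443
May 12 03:21:02 hp sshd[2301]: Failed password for admin from 198.51.100.7 port 60020 ssh2
"""

# Subset of the report's IoC list (Section 3), used for enrichment.
KILLNET_IOCS = {"171.25.193.78", "185.220.102.242", "5.2.69.50"}

FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port \d+")
FORWARD = re.compile(r"sshd\[(\d+)\]: refused local port forward: originator \S+ port \d+, target (\S+) port (\d+)")


def triage(log_text, ioc_ips, threshold=5):
    """Return dictionary-attack sources, tunnel attempts and IoC matches."""
    failures = defaultdict(lambda: {"attempts": 0, "usernames": set()})
    session_src = {}   # sshd pid -> client IP of the session that was accepted
    tunnels = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            _pid, user, src = m.groups()
            failures[src]["attempts"] += 1
            failures[src]["usernames"].add(user)
        elif m := ACCEPTED.search(line):
            pid, _user, src = m.groups()
            session_src[pid] = src
        elif m := FORWARD.search(line):
            # The refusal line carries no client address: resolve it via the pid.
            pid, target, port = m.groups()
            tunnels.append({"source": session_src.get(pid, "unknown"),
                            "target": target, "port": int(port)})
    dictionary = {src: {"attempts": d["attempts"], "usernames": sorted(d["usernames"])}
                  for src, d in failures.items() if d["attempts"] >= threshold}
    seen = set(failures) | {t["source"] for t in tunnels}
    return {"dictionary_attackers": dictionary,
            "tunnel_attempts": tunnels,
            "ioc_hits": sorted(seen & set(ioc_ips))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, KILLNET_IOCS), indent=2))
```

On a real host the same function can be fed the output of `journalctl -u ssh` (or /var/log/auth.log), which carries the same `sshd[pid]:` prefix. The sample assumes AllowTcpForwarding no, which is also the setting that makes a tunneling attempt visible at sshd's default LogLevel; with forwarding permitted, the honeypot-style observation above would require a more verbose log level.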


2.2. Telegram chat 


Killnet often makes announcements about planned or successful attacks on its official
Telegram channel at https://t.me/killnet_channel. The content on this channel is heavy with Russian
propaganda and hate speech toward countries and individuals who do not support Russian
aggression against Ukraine. As such, viewer discretion is strongly advised.


The channel was created in January 2022, and the first messages were about attacking the
Anonymous group (which is allegedly at war with Killnet). The chronology of announced
attacks began on March 3 with the takedown of a Ukrainian news service,
https://korrespondent.net, and the Ukrainian branch of Vodafone, https://vodafone.ua. These actions
are justified by the group as "a strike against propaganda." After allegedly attacking the
Ministry of Internal Affairs of Ukraine and several other Ukrainian resources related to higher
education, the group proceeded with an attack on the Ministry of the Interior of Latvia on March
22.


On March 23, the attackers shifted their focus to Poland, starting with the website of the
Supreme Court of the Republic of Poland. On the next day, they reported an attack against
Narodowy Bank Polski (the National Bank of Poland). As the message below shows, the attackers
justify their actions by saying that "any kind of aggression from the Polish authorities towards
Russia will immediately result in massive DDOS attacks against critical network resources of
Poland." Shortly after this announcement, the Killnet chat reported a successful attack against
the Polish Investment and Trade Agency (https://www.paih.gov.pl/en), allegedly resulting in a
20 GB data leak.
[Screenshot: Killnet Telegram post titled "DDOS MAP: POLAND", carrying the warning in Russian and Polish: "Any aggression from the Polish authorities toward Russia will immediately launch a cycle of massive DDoS attacks on all vital and state network resources"]


Soon after, on March 29, Killnet reported a successful attack against a target in the United
States: Bradley International Airport (https://www.nbcconnecticut.com/news/local/bradley-airport-website-suffers-cyber-attack/2750473/).
The attackers' main point was to prevent any kind of military aid to Ukraine:

[Screenshot: Killnet Telegram post about the Bradley airport attack]
    "...it is temporarily impossible to purchase a ticket, we apologize to Joe Biden...
    This action is not terror, but a hint that the United States government is not the master of
    millions of lives in Europe... When the supply of weapons to Ukraine stops, attacks on the
    information structure of your country will instantly stop! America, no one is afraid of you..."
    Attack stopped after 17 hours


A couple of days later, Killnet claimed a successful DDoS attack on the website of CYBERPOL
(https://www.cyberpol.info/), after which there was a short gap until April 15, when Killnet
reported a successful attack against the Federal Ministry of Defence of Germany
(https://www.bmvg.de/de), claiming they targeted not Germany but "fascism":
[Screenshot: Killnet Telegram post "IN THE CROSSHAIRS" announcing the "Attack on the official website of the German Ministry of Defense", with the slogan "Hitler kaput" and a partly illegible message ("Hello German politicians, I want to remind you of the recent ... stupid things. Ukraine has no ... much as all of your Europe!"), followed by "Attack stopped after 5 hours"]


This was immediately followed by several attacks on German airports (Koeln-Bonn, Bremen and
Hamburg), Gatwick airport in the UK and eight airports in Poland. Several German financial
organizations (Commerzbank and KWF among them) were also under attack. During this time,
Killnet announced a "special attack" which served as a homage to the REvil hacking group:
they DDoSed the website of the Devon Energy Corporation in the U.S. (https://devonenergy.com).
It is unclear at this stage whether any critical infrastructure was affected or whether it was just an
attack against the web-facing resources of the company.


[Screenshot: Killnet Telegram post about the Devon Energy Corporation attack, captioned "The attack is dedicated to the Russian hacker group REvil"; the rest of the post is illegible]
Albeit targeting organizations in the government, transportation and financial sectors, in one of the
Telegram announcements the attackers explicitly state that they are not going after
healthcare targets. At the same time, the attackers chose several "political" targets (such as
the UN and the OSCE, as the posts below show), justifying their actions by the claim that these
organizations spread "lies" about the war crimes committed by Russian troops and work with the
Ukrainian military against Russia.


[Screenshots: two Killnet Telegram posts.

The first quotes a UN tweet ("Head of the UN World Food Programme in Bucha: behind me is a bombed-out children's home for 40 children. Fortunately, none of them were hurt. What happened in Bucha is terrible, and the families here need support. The UN, together with the local authorities, is trying to help as many people as possible") and announces: "Are you out of your mind, UN? Now take the hit... Attack on the official UN website", followed by an encyclopedia-style description of the UN and the note "Attack stopped after 5 hours - temporarily".

The second reads: "OSCE. This international organization cooperates with the Ukrainian Armed Forces. Gives away the positions of Russian troops. Plays a double game in favor of the USA. We consider it fair to attack the official website!", followed by "Attack stopped after 4 hours - temporarily" and a link to the post.]


The time between April 19 and the beginning of May contains a lot of announcements and reports
about successful attacks against many targets in Europe (the Czech Republic, Lithuania, Latvia,
Estonia, Poland, Romania, the UK, France and Italy are among the targeted countries) as well as
in the United States. The rhetoric around these attacks suggests that these countries must drop
their support of Ukraine and stop "their aggression against Russia." Some messages contain
obscenity and "trolling." However, it is peculiar that the messages are mostly in Russian;
therefore, it is difficult to say whether the witticisms reached the intended audience in the
end. The messages and the corresponding attacks, however, are clearly aimed at wreaking
havoc in Western countries and shifting the opinion of people within these countries about
the Russian war. The latter clearly suggests there is no financial motivation behind the attacks;
the motives are purely political.


From the chat messages, it also becomes clear that Killnet is not a well-defined group but rather a
conglomerate of smaller hacking groups and individuals that have united in their common goal
of "making Russia great again" by "fighting fascism" (as supported by ). We
observed mentions of various squads such as "Mirai squad", "Sakurajima", "JACKY", "Zapa"
and "DDOSGUNG". Some messages even mention a recently established U.S. branch of
Killnet:


[Screenshot: Killnet Telegram post, in English and Russian: "We are joined by cyber fighters from the United States of America, KILLNET USA. As a compliment, our colleagues are making ... attack on the network infrastructure of the Boeing company" (partly illegible)]


[Screenshot: Killnet Telegram post]
    "I don't think this attack on the Boeing makes sense. But our colleagues from the United
    States of America thought so. I welcome any help to achieve our common mission to stop the
    aggression against Russia. All people in the world must understand that we are fighting
    Nazism, this is the sacred duty of every sane person!
    Even if CIA agents do this for us, it does not affect our work. Therefore, we will not create
    provocations for KILLNET. Let everyone do what they want!"

Several messages in the chat suggest that the main type of attack is L4/L7 DDoS (e.g., SYN
flood or resource exhaustion via massive amounts of POST/GET requests). Several "groups"
within Killnet seem to get attack orders from the chat (or other chats) directly:


[Screenshot: attack orders posted in the Killnet chat, translated from Russian]
    Squad "MIRAI": Begin the attack on the network infrastructure of Germany. Your attack is a
    protest against the government of Germany; we are against arms supplies to Ukraine.

    Method             Target IP           Target
    L7/4, 443, POST    77.87.229.14        Federal Police, https://www.bundespolizei.de/
                                           (https://check-host.net/check-report/95f091 ek88e, as extracted)
    L4/7, 443/80       80.2 52.130         Federal Office (BKA), https://bka.de/
                       (as extracted)      (https://check-host.net/check-report/95f0b99kf5)
    L4, 443, GET       193.197.148.208     Cops - Baden-Wuerttemberg, https://www.polizei-bw.de/
                                           (https://check-host.net/check-report/95ee5cfkc33)
    L4/7, 443/80, GET  195.200.71.149      Cops - Bavaria, https://www.polizei.bayern.de/
                                           (https://check-host.net/check-report/95eeb79k5a8)

    Forwarded from "LEGION - CYBER SPETSNAZ RF" (4.5 million users): "squads, to battle",
    followed by country names (Estonia, America) and "Killnet"; the rest is illegible]


The attack methods and the network ports involved seem to correspond to the evidence of
Killnet attack traffic that reached our honeypot (see Section 2.1).
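The L7 half of that traffic (floods of POST/GET requests against a site) leaves a trace in ordinary web server access logs, so the following added example, which is not part of the original report, shows a sliding-window detector over combined-format access log lines. The lines are constructed inside the block: 5.2.69.50 is taken from the IoC list in Section 3 as the flood source, and 203.0.113.9 (a documentation address) stands in for a normal visitor. SYN floods (L4) never reach the access log, so this covers only the application-layer part of what the chat orders describe.

```python
"""Sliding-window detection of HTTP request floods (L7 DDoS) in access logs.
Added example, not from the report; the sample traffic is constructed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status, _size = m.groups()
    return {"src": src, "ts": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}


def detect_floods(lines, window=timedelta(seconds=10), threshold=100):
    """Flag sources whose request count within any `window` reaches `threshold`.

    Lines must be in time order (as a live log is).  For each source a deque
    keeps the timestamps still inside the window; its length is the current
    per-window request rate, and the maximum seen is reported as the peak."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    methods = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
        methods[rec["src"]][rec["method"]] += 1
    return {src: {"peak_requests_in_window": peak[src], "methods": dict(methods[src])}
            for src in peak if peak[src] >= threshold}


def build_sample():
    """Constructed traffic: one normal visitor and one POST flood, merged in time order."""
    base = datetime(2022, 4, 23, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal visitor: one page view every 30 seconds.
    for i in range(20):
        t = (base + timedelta(seconds=30 * i)).strftime(TIME_FMT)
        lines.append(f'203.0.113.9 - - [{t}] "GET /news/{i} HTTP/1.1" 200 5120')
    # Flood: 300 POSTs to the login form at 50 requests per second.
    for i in range(300):
        t = (base + timedelta(milliseconds=20 * i)).strftime(TIME_FMT)
        lines.append(f'5.2.69.50 - - [{t}] "POST /login HTTP/1.1" 200 1024')
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    for src, info in detect_floods(build_sample()).items():
        print(src, info)
```

The threshold and window are deliberately simple; in production the same deque-per-source structure is what a rate limiter in front of the origin maintains, and the output here is the list of sources worth blocking or challenging while the attack is in progress.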


2.3. “Wawsquad” and Telegram copycats 


The official Telegram chat often contains messages about various “copycats” that either 
pretend to be Killnet or refer to themselves as their associates: 


[Screenshot: Killnet Telegram post titled "SCAMMERS", translated from Russian: "We have no bots or other groups apart from the official channel! KILLNET: ... OBSERVER: ... ADMIN: ... To avoid mistakes, use our official website; through its contacts you will reach the real owners"]


We have also found several chats that attempt to mimic the original one. It seems that while
some intend to commit scams by offering bespoke "DDoS-as-a-Service" piggybacking on all
the news about Killnet, others do it out of a desire for someone else's "glory." For example,
there is another Telegram chat that attempts to "typosquat" the name of the original one.
The original one is shown on the left, and the fake one is shown on the right:
[Screenshot: Telegram channel info of the original "WE ARE KILLNET" channel (left) and of the typosquatted copy (right; handle shown as t.me/killnet channell, as extracted). Visible fields include a "backup" contact (@wawin...), a "Legion" contact (@Leg...), 2 shared links and 159 photos]

This particular "copycat" leads to another channel called "WAWHACKERS," and the
participants in the chat seem to share political views similar to those of the original Killnet. The
WAWHACKERS have several web resources: an official website ("wawsquad[.]cf") and a
software archive ("checknetlab[.]wawsquad[.]cf") where they advertise free and paid
hacking software "coming from their lab."


However, after a few minutes of browsing it becomes clear that the group is not affiliated with
Killnet. For example, a piece of software listed as "ROCH Experimental Subsystem" is nothing
but a simple Python script packed as a Windows executable:


[Screenshot: wawsquad.cf download page for "ROCH Experimental Subsystem", listing as features ("Opportunities"): working with the command shell, a file encryption algorithm, and checking access to a site, followed by a Download button]
The script contains basic functionality for checking whether a website is available (that is,
returns HTTP code 200), local shell functionality, basic local file encryption and a "feedback" feature
that allows users to send questions and bug reports to the authors. This last feature uses a pair of
hardcoded Gmail addresses so that the bug reports created within the tool are sent as
email messages from one hardcoded account to another. It also helps to reveal the identity of
the author. The screenshots below show the Python disassembly fragments related to this
functionality:


[Screenshots: Python disassembly fragments, transcribed; operands that were not legible are left blank]

    LOAD_FAST
    LOAD_METHOD
    LOAD_STR
    LOAD_STR
    CALL_METHOD      2
    POP_TOP

    LOAD_GLOBAL
    LOAD_STR         'Enter your name: '
    CALL_FUNCTION    1
    STORE_FAST       'name'

    LOAD_GLOBAL
    LOAD_STR         'Enter your problem: '
    CALL_FUNCTION    1
    STORE_FAST       'mistake'

    LOAD_GLOBAL      print
    LOAD_GLOBAL      Fore
    LOAD_ATTR        BLUE
    CALL_FUNCTION    1
    POP_TOP

    LOAD_GLOBAL      print
    LOAD_STR         '[~]Sending log...'
    CALL_FUNCTION    1
    POP_TOP

    SETUP_FINALLY    58 'to 258'

    LOAD_FAST        'smtp'
    LOAD_METHOD      sendmail
    LOAD_STR         'nikanat500@gmail.com'
    LOAD_STR         'alekmalekov500@gmail.com'
    LOAD_STR         'Здравствуйте, я '         (Russian: "Hello, I am ")
    LOAD_FAST        'name'
    BINARY_ADD
    LOAD_STR         '. Моя проблема: '         (Russian: ". My problem: ")
    LOAD_FAST        'mistake'
    BINARY_ADD
    CALL_METHOD      3

It seems that both email accounts belong to someone called “Aleksey” or "Alexandr" 
"Malekov". The hardcoded password “Rapid7Rapid8” was recently changed on the first email 
address, but not on the second one. 
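The analysis above rests on reading string constants out of the recovered bytecode rather than running the tool. The following added example, which is not code from the report or from the Wawsquad tool, automates that step: it walks every code object in a module (including nested functions), collects string constants that look like e-mail addresses, and pulls out the literal arguments passed to an smtp.login(...) call. Because the original script is not on this page, the block compiles a constructed stand-in for the feedback routine with placeholder addresses and a placeholder password; load_pyc() shows how the same scan would be applied to a .pyc recovered from a PyInstaller archive (it assumes a CPython 3.7+ header and the same interpreter version that produced the file).

```python
"""Pull hardcoded e-mail addresses and smtp.login() arguments out of Python
bytecode.  Added example, not code from the report or from the tool it
analyses; the sample source below is a constructed stand-in."""
import dis
import marshal
import re
import types

# Constructed stand-in for the feedback routine described in the text.
# Addresses and password are placeholders, not the values in the real tool.
SAMPLE_SOURCE = '''
import smtplib
from colorama import Fore

def feedback():
    name = input("Enter your name: ")
    mistake = input("Enter your problem: ")
    print(Fore.BLUE + "[~]Sending log...")
    smtp = smtplib.SMTP("smtp.gmail.com", 587)
    smtp.starttls()
    smtp.login("sender@example.invalid", "Passw0rdPlaceholder")
    smtp.sendmail("sender@example.invalid", "receiver@example.invalid",
                  "Hello, I am " + name + ". My problem: " + mistake)
'''

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")


def iter_code_objects(code):
    """Yield `code` and, recursively, every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def find_smtp_secrets(code):
    """Return e-mail-looking string constants and the literal args of smtp.login()."""
    emails, login_args = set(), []
    for co in iter_code_objects(code):
        instrs = list(dis.get_instructions(co))
        for ins in instrs:
            if ins.opname == "LOAD_CONST" and isinstance(ins.argval, str) and EMAIL_RE.match(ins.argval):
                emails.add(ins.argval)
        # .login is loaded as LOAD_METHOD (<= 3.11) or LOAD_ATTR (>= 3.12); the
        # string constants between that load and the CALL are its literal arguments.
        for idx, ins in enumerate(instrs):
            if ins.opname in ("LOAD_METHOD", "LOAD_ATTR") and ins.argval == "login":
                args = []
                for nxt in instrs[idx + 1:]:
                    if nxt.opname == "LOAD_CONST" and isinstance(nxt.argval, str):
                        args.append(nxt.argval)
                    elif nxt.opname.startswith("CALL"):
                        break
                login_args.append(tuple(args))
    return {"emails": sorted(emails), "login_args": login_args}


def load_pyc(path):
    """Code object from a .pyc written by CPython 3.7+ (16-byte header).
    Must run under the same CPython version that produced the file."""
    with open(path, "rb") as fh:
        fh.read(16)
        return marshal.load(fh)


def analyze_sample():
    """Compile the constructed stand-in (without executing it) and scan it."""
    return find_smtp_secrets(compile(SAMPLE_SOURCE, "<feedback>", "exec"))


if __name__ == "__main__":
    print(analyze_sample())
```

Nothing in the sample is executed: compile() only produces bytecode, which is the point of scanning this way, since a sample like the one on this page would otherwise try to send mail through the hardcoded account.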


After looking a bit more at the chat messages and other resources provided by this particular 
“copycat” and several others, it has become clear that they are not part of the “official” Killnet 
and are likely being run by minors who are learning their way around programming and 
cybersecurity. However, these minors share and spread the political beliefs of the original 
Killnet, which shows the adverse effect of cyber propaganda. 
3. IoCs

IoC                  Type            Description
5.2.69.50            IPv4 address    IP address using TTPs similar to Killnet
92.255.85.237        IPv4 address    IP address using TTPs similar to Killnet
92.255.85.135        IPv4 address    IP address using TTPs similar to Killnet
173.212.250.114      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
144.217.86.109       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
156.146.34.193       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
162.247.74.200       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
164.92.218.139       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
171.25.193.25        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
171.25.193.78        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.100.87.133       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.100.87.202       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.129.61.9         IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.241      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.242      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.243      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.248      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.250      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.252      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.100.255      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.101.15       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.101.35       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.102.242      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.102.243      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.220.102.253      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.56.80.65         IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.67.82.114        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
185.83.214.69        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
195.206.105.217      IPv4 address    IP address used in Killnet attacks and observed on our honeypots
199.249.230.87       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
205.185.115.33       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
209.141.57.178       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
209.141.58.146       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.130        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.131        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.132        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.133        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.134        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.137        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.139        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.142        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.147        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.148        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.149        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.210        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.212        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.213        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.216        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.217        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.218        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
23.129.64.219        IPv4 address    IP address used in Killnet attacks and observed on our honeypots
45.153.160.132       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
45.153.160.139       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
45.154.255.138       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
45.154.255.139       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
45.227.72.50         IPv4 address    IP address used in Killnet attacks and observed on our honeypots
72.167.47.69         IPv4 address    IP address used in Killnet attacks and observed on our honeypots
81.17.18.58          IPv4 address    IP address used in Killnet attacks and observed on our honeypots
81.17.18.62          IPv4 address    IP address used in Killnet attacks and observed on our honeypots
91.132.147.168       IPv4 address    IP address used in Killnet attacks and observed on our honeypots
4. Mitigation Recommendations

Follow the NCSC-UK's guide on denial of service attacks, which includes a preparation phase of
understanding weak points in your service, ensuring that service providers can handle resource
exhaustion, scaling the service to handle concurrent sessions, preparing a response plan and stress
testing systems regularly.

Monitor the activity of hacktivist groups on Telegram, Twitter and other sources where attacks are
planned and coordinated.

Identify and patch vulnerable IoT devices to prevent them from being used as SSH tunnels or as part of
DDoS botnets.

Change default or easily guessable passwords on IoT devices.

Monitor the traffic of IoT devices to identify those being used as part of distributed attacks.